Stored Cross-Site Scripting Vulnerability in Phproject by Alanaktion
CVE-2025-57768

6.9MEDIUM

Key Information:

Vendor: Alanaktion
Status: PHProject
Vendor: CVE Published:; 21 August 2025

What is CVE-2025-57768?

Phproject, a full-featured project management system, is affected by a Stored Cross-Site Scripting vulnerability present in versions 1.8.0 to 1.8.2. This vulnerability occurs due to a lack of proper HTML encoding and sanitization in the Planned Hours field when creating new projects. An attacker can send a specially crafted payload through a POST request to the /issues/new/ endpoint, which is then reflected in the server's response. This enables the attacker to execute arbitrary JavaScript in the context of the victim's browser, potentially compromising user data and system security. The issue has been addressed in version 1.8.3, and users are urged to upgrade to this version to mitigate the risk.

Affected Version(s)

phproject >= 1.8.0, < 1.8.3

References

https://github.com/Alanaktion/phproject/security/advisori...

x_refsource_CONFIRM

CVSS V4

Score:

6.9

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 21, 2025
Vulnerability Reserved
Aug 19, 2025